Denial of Service Attacks
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
1 / 45
Denial of Service (DoS) Attacks
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
2 / 45
■ Attack availability■ No direct benefit to the attacker, except for
the victim’s pain■ (But there are some exceptions)■ Major problem on today’s Internet
History
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
3 / 45
■ Most viruses and worms simply perpetrate DoSattacks
■ The phone system has experienced prank DoSattacks
■ Must distinguish attacks from “flash crowds”,also known as the “Slashdot Effect”
What Can be DoSed?
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
4 / 45
■ Bandwidth — clog the link■ CPU time — make someone do expensive
calculations■ Memory — tie up system state■ More generally, DoS can occur any time it
costs less for an attacker to send a messagethan to process it
First Internet DoS Attack
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
5 / 45
■ Attacker sends many SYN packets from aforged source address
■ The SYN+ACK packets go nowhere■ No ACK to them ever arrives; the connection
stays half-open■ Why is this a DoS?
The TCP State Diagram
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
6 / 45
CLOSED
LISTEN
SYNRCVD
SYNSENT
ESTAB
FINWAIT-1
CLOSEWAIT
FINWAIT-2
CLOSINGLASTACK
TIMEWAIT
CLOSED
passive OPEN (create TCB) CLOSE (delete TCB)
active OPEN (create TCB; send SYN)
CLOSE (delete TCB)
rcv SYN (send SYN, ACK) SEND (send SYN)
rcv SYN(send SYN, ACK)
CLOSE (send FIN)
rcv ACK of FIN CLOSE (send FIN)
rcv ACK of FIN (delete TCB)rcv ACK of FINrcv FIN (send ACK)
2*MSL timeout(delete TCB)
rcv FIN (send ACK)
CLOSE (send FIN) rcv FIN (send ACK)
rcv ACK of SYN rcv SYN, ACK (send ACK)
SYN Flooding
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
7 / 45
■ An arriving SYN sends the “connection” intoSYN-RCVD state
■ It can stay in this state for quite a while,awaiting the acknowledgment of theSYN+ACK packet, and tying up memory
■ For this reason, the number of connections fora given port in SYN-RCVD state is limited
■ Further SYN packets for that port are dropped■ The trick is the address forgery — if the
attacker impersonates a non-existent host,neither the SYN+ACK nor a RST will everarrive
■ The port is thus blocked
Defenses
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
8 / 45
■ Anti-spoofing■ Better data structures■ SYN cookies
Anti-Spoofing
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
9 / 45
■ Conceptually simple, but requires wide-scaledeployment
■ Get most — all? — ISPs to filter outboundpackets, to prevent spoofing
■ Very hard — ISPs don’t want to do that; it’sexpensive for some
■ Can still have local spoofing■ But — can blacklist entire site if necessary
Better Data Structures
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
10 / 45
■ No reason to allocate full protocol controlblock for just a SYN packet
■ Allocate something much more compact, andraise the limit on half-open connections
■ Can handle many more, but the attacker canstill win
Attacking Compact Data Structures
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
11 / 45
■ Bare minimum to store: 32-bit address, 16-bitport number, at least part of initial sequencenumber — call it 64 bits
■ (Actually, must be higher)■ Allocate 256MB to connection table■ Assume each entry can persist for 10 seconds■ Attacker can keep it filled with bandwidth of
about 200M bps — not a lot for a large site
Generic Solution
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
12 / 45
■ Don’t create state until necessary■ In particular, don’t create connection state
until you know that the far end is there■ General idea: encode (and cryptographically
seal) state into some value sent from theserver to the client
■ The client returns the state in its third message■ The server unseals the state, makes sure it’s
authentic, and then creates the connection
SYN Cookies
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
13 / 45
■ Generally credited to Dan Bernstein (thoughthere’s some evidence that others had the idea(but didn’t publish widely) first
■ Basic idea: generate the server’s ISN from atime counter, the client’s MSS, and a 24-bitcryptographic function of the timec counterand the connection four-tuple
■ When the client’s ACK message comes in,validate the connection data from the 24-bitfunction, and create the connection controlblock using the data in the ACK packet
It’s Not Perfect
Denial of ServiceAttacksDenial of Service(DoS) Attacks
History
What Can beDoSed?First Internet DoSAttackThe TCP StateDiagram
SYN Flooding
Defenses
Anti-Spoofing
Better DataStructuresAttacking CompactData Structures
Generic Solution
SYN Cookies
It’s Not Perfect
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
14 / 45
■ Certain TCP features can’t be handled, or arehandled imperfectly
■ Solution: fall back to this if and only if underattack
■ It’s better than no connection at all
CPU Denial of Service
Denial of ServiceAttacks
CPU Denial ofServiceCPU Denial ofService
Puzzles
Hash Puzzle
Why it Works
Why it Doesn’tWork
History
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
15 / 45
CPU Denial of Service
Denial of ServiceAttacks
CPU Denial ofServiceCPU Denial ofService
Puzzles
Hash Puzzle
Why it Works
Why it Doesn’tWork
History
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
16 / 45
■ Using SYN cookies requires CPU time for acryptographic calculation
■ Suppose the attacker wants to exhaust CPUtime
■ Better yet, think of TLS — RSA calculationsare very expensive
■ Need a way to rate-limit requests fromcompromised clients
Puzzles
Denial of ServiceAttacks
CPU Denial ofServiceCPU Denial ofService
Puzzles
Hash Puzzle
Why it Works
Why it Doesn’tWork
History
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
17 / 45
■ General solution: create a puzzle that’sexpensive to solve but cheap to verify
■ Puzzle difficulty should be tunable, in responseto server load
■ Before doing any expensive work, challenge theclient to solve the puzzle
■ Not a serious problem for legitimate clients;should pose a considerable burden for attackers
Hash Puzzle
Denial of ServiceAttacks
CPU Denial ofServiceCPU Denial ofService
Puzzles
Hash Puzzle
Why it Works
Why it Doesn’tWork
History
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
18 / 45
■ Generate n, a difficulty metric, and a randomvalue x
■ Send the client 〈n, h(x), x′ 〉, where x′ is x
with the low-order n bits set to zero and h is acryptographic hash function
■ Client must find x
■ Client’s guesses – and its answer — arevalidated by calculating h(x) and seeing if itmatches the server’s value
Why it Works
Denial of ServiceAttacks
CPU Denial ofServiceCPU Denial ofService
Puzzles
Hash Puzzle
Why it Works
Why it Doesn’tWork
History
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
19 / 45
■ Since h is a cryptographic hash function (i.e.,SHA-1), there is no faster way to find x from〈n, h(x), x′ 〉 than brute force
■ This takes 2n−1 operations on average■ A guess is easy to validate; it takes just 1
operation
Why it Doesn’t Work
Denial of ServiceAttacks
CPU Denial ofServiceCPU Denial ofService
Puzzles
Hash Puzzle
Why it Works
Why it Doesn’tWork
History
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
20 / 45
■ Attackers have lots of machines■ It’s easier for the attacker to throw more
machines at the problem than it is for thedefender
■ (If the server increases n too much, it’sdifficult for legitimate clients)
History
Denial of ServiceAttacks
CPU Denial ofServiceCPU Denial ofService
Puzzles
Hash Puzzle
Why it Works
Why it Doesn’tWork
History
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
21 / 45
■ Attack not (yet?) seen in the wild■ Similar to anti-spam technique (“hash cash”)
proposed in 1992■ Merkle used puzzles in an early approach to
public key-like key distribution■ Laurie and Clayton showed why it doesn’t
work against spam
Distributed Denial of ServiceAttacks (DDoS)
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Distributed Denial ofService Attacks(DDoS)
History
Address-Spoofing
Too Many of Them!
Building Botnets
Bot-Jacking
State of the Art
Uses of BotnetsCombinationAttacks
Defenses
Other DoS Attacks
22 / 45
Distributed Denial of Service Attacks
(DDoS)
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Distributed Denial ofService Attacks(DDoS)
History
Address-Spoofing
Too Many of Them!
Building Botnets
Bot-Jacking
State of the Art
Uses of BotnetsCombinationAttacks
Defenses
Other DoS Attacks
23 / 45
■ Most common form of DoS today■ Exhaust network bandwidth■ Uses large network of compromised “zombies”
or “bots”■ “Command and control” node tells bots what
to do■ IRC frequently used for control channels■ Newer ones use peer-to-peer meshes
History
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Distributed Denial ofService Attacks(DDoS)
History
Address-Spoofing
Too Many of Them!
Building Botnets
Bot-Jacking
State of the Art
Uses of BotnetsCombinationAttacks
Defenses
Other DoS Attacks
24 / 45
■ First seen in late 1999■ Comments in the code suggested that a
massive attack was scheduled for December 31— just in time to exacerbate possible Y2Ktroubles
■ Fortunately, neither happened
Address-Spoofing
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Distributed Denial ofService Attacks(DDoS)
History
Address-Spoofing
Too Many of Them!
Building Botnets
Bot-Jacking
State of the Art
Uses of BotnetsCombinationAttacks
Defenses
Other DoS Attacks
25 / 45
■ Early versions used address-spoofing — makeit harder to trace or filter bots
■ As a result, early defense attempts focused ontraceback
■ Most newer attacks don’t bother withaddress-spoofing — because traceback andfiltering don’t work
Too Many of Them!
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Distributed Denial ofService Attacks(DDoS)
History
Address-Spoofing
Too Many of Them!
Building Botnets
Bot-Jacking
State of the Art
Uses of BotnetsCombinationAttacks
Defenses
Other DoS Attacks
26 / 45
■ A defender can’t do much with a list of 10,000bots
■ Tracing down the person responsible istime-consuming and sometimes futile
■ Most routers can’t handle a filter list with10,000 entries
Building Botnets
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Distributed Denial ofService Attacks(DDoS)
History
Address-Spoofing
Too Many of Them!
Building Botnets
Bot-Jacking
State of the Art
Uses of BotnetsCombinationAttacks
Defenses
Other DoS Attacks
27 / 45
■ Get someone to run the bot software■ Use “come and get it” with infected “free”
software■ Use web pages with nasty ActiveX controls
(plus trickery to make users accept them)■ Use exploits to penetrate machines, possibly
via worms■ Buy or rent them■ Steal them!
Bot-Jacking
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Distributed Denial ofService Attacks(DDoS)
History
Address-Spoofing
Too Many of Them!
Building Botnets
Bot-Jacking
State of the Art
Uses of BotnetsCombinationAttacks
Defenses
Other DoS Attacks
28 / 45
■ Bot-jacking — stealing botnets from other badguys
■ To prevent this, some bots patch othersecurity holes on “their” machines
■ One recent one includes current anti-virussoftware!
State of the Art
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Distributed Denial ofService Attacks(DDoS)
History
Address-Spoofing
Too Many of Them!
Building Botnets
Bot-Jacking
State of the Art
Uses of BotnetsCombinationAttacks
Defenses
Other DoS Attacks
29 / 45
■ Modern bots are fully updatable by the botherd■ Download new software to them for bug fixes
or new functions: spam, DDoS, scanning, etc.■ Many bots use encrypted communications
channels
Uses of Botnets
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Distributed Denial ofService Attacks(DDoS)
History
Address-Spoofing
Too Many of Them!
Building Botnets
Bot-Jacking
State of the Art
Uses of BotnetsCombinationAttacks
Defenses
Other DoS Attacks
30 / 45
■ Primary uses: DDoS and spamming■ (Spamming is a denial of service attack on
mailers!)■ DDoS primarily used for extortion, especially
against sports-betting sites■ They have a time-sensitive product and can’t
outwait the bad guys■ (Occasional use: revenge against other bad
guys)
Combination Attacks
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Distributed Denial ofService Attacks(DDoS)
History
Address-Spoofing
Too Many of Them!
Building Botnets
Bot-Jacking
State of the Art
Uses of BotnetsCombinationAttacks
Defenses
Other DoS Attacks
31 / 45
■ DDoS can be used as part of other attacks■ Example: interrupt communication to SecurID
servers■ Example: divert people to “backup” bank site
as part of phishing attack
Defenses
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
DefensesDefending AgainstDDoSIt’s Not Quite thatBad. . .
Heuristic Defenses
Overprovisioning
Black-Hole Routing
Anomaly Filtering
Pushback
Data Flow
Other DoS Attacks
32 / 45
Defending Against DDoS
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
DefensesDefending AgainstDDoSIt’s Not Quite thatBad. . .
Heuristic Defenses
Overprovisioning
Black-Hole Routing
Anomaly Filtering
Pushback
Data Flow
Other DoS Attacks
33 / 45
It’s Not Quite that Bad. . .
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
DefensesDefending AgainstDDoSIt’s Not Quite thatBad. . .
Heuristic Defenses
Overprovisioning
Black-Hole Routing
Anomaly Filtering
Pushback
Data Flow
Other DoS Attacks
34 / 45
■ No comprehensive defenses■ Some heuristic defenses■ Still an active research area
Heuristic Defenses
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
DefensesDefending AgainstDDoSIt’s Not Quite thatBad. . .
Heuristic Defenses
Overprovisioning
Black-Hole Routing
Anomaly Filtering
Pushback
Data Flow
Other DoS Attacks
35 / 45
■ Overprovision■ Black-hole routing■ Filter anomalies■ Replication
Overprovisioning
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
DefensesDefending AgainstDDoSIt’s Not Quite thatBad. . .
Heuristic Defenses
Overprovisioning
Black-Hole Routing
Anomaly Filtering
Pushback
Data Flow
Other DoS Attacks
36 / 45
■ Design DDoS-proof site with really big pipes■ Ideally, ride out multi-gigabit attack■ Of course, there are really big botnets, too
Black-Hole Routing
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
DefensesDefending AgainstDDoSIt’s Not Quite thatBad. . .
Heuristic Defenses
Overprovisioning
Black-Hole Routing
Anomaly Filtering
Pushback
Data Flow
Other DoS Attacks
37 / 45
■ Set up ISP routing to make it really easy todivert all traffic for the victim to a sinkhole
■ The ISP takes the victim site off the air!■ But — it avoids collateral damage to other
sites■ Most DDoS attacks have been relatively
short-lived
Anomaly Filtering
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
DefensesDefending AgainstDDoSIt’s Not Quite thatBad. . .
Heuristic Defenses
Overprovisioning
Black-Hole Routing
Anomaly Filtering
Pushback
Data Flow
Other DoS Attacks
38 / 45
■ DDoS traffic usually isn’t perfectly “normal”■ TTLs, protocols, etc., are often unusual■ Route traffic through filtering boxes; filter
based on these anomalies■ Imperfect, but frequently good enough
Pushback
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
DefensesDefending AgainstDDoSIt’s Not Quite thatBad. . .
Heuristic Defenses
Overprovisioning
Black-Hole Routing
Anomaly Filtering
Pushback
Data Flow
Other DoS Attacks
39 / 45
■ When a router output link is overloaded, seewhich input links the packets are coming from
■ Tell the upstream nodes to rate-limit packetsto this router
■ Apply the algorithm recursively
Data Flow
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
DefensesDefending AgainstDDoSIt’s Not Quite thatBad. . .
Heuristic Defenses
Overprovisioning
Black-Hole Routing
Anomaly Filtering
Pushback
Data Flow
Other DoS Attacks
40 / 45
R1
R2
R3
R4
R6
R7
R0
R5
L0
L1L2
L3
L4L5
L6
L7
Pushback Messages
Heavy traffic flow
Other DoS Attacks
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
Other DoS Attacks
Bayesian Filter
Reflector Attacks
Program Availability
41 / 45
Other DoS Attacks
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
Other DoS Attacks
Bayesian Filter
Reflector Attacks
Program Availability
42 / 45
■ Bayesian filter■ Program availability■ Reflector attacks
Bayesian Filter
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
Other DoS Attacks
Bayesian Filter
Reflector Attacks
Program Availability
43 / 45
■ Bayesian filters are used for anti-spam■ Spammers have sometimes sent email carefully
crafted to consume most CPU cycles onBayesian filters
■ Result: sites turn off the filters to let email gothrough
■ Consequence: spam gets through, too
Reflector Attacks
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
Other DoS Attacks
Bayesian Filter
Reflector Attacks
Program Availability
44 / 45
■ Attacker sends a small packet with a forgedsource address to some service, especially theDNS
■ The packet generates a much larger response■ This response is sent to the forged source
address■ Attacker gets a multiplier effect, and hides, too
Program Availability
Denial of ServiceAttacks
CPU Denial ofService
Distributed Denial ofService Attacks(DDoS)
Defenses
Other DoS Attacks
Other DoS Attacks
Bayesian Filter
Reflector Attacks
Program Availability
45 / 45
■ Find bugs and exploit them, to crash someprograms
■ Persistent worry: is there a penetration exploit,too?
■ If you see lots of core dumps on your system,worry. . .